Remove session store secret (#10074)

Fixes #10033

packages/twenty-server/.env.example

@@ -70,7 +70,6 @@ FRONT_PORT=3001
 # MUTATION_MAXIMUM_AFFECTED_RECORDS=100
 # CHROME_EXTENSION_ID=bggmipldbceihilonnbpgoeclgbkblkp
 # PG_SSL_ALLOW_SELF_SIGNED=true
-# SESSION_STORE_SECRET=replace_me_with_a_random_string_session
 # ENTERPRISE_KEY=replace_me_with_a_valid_enterprise_key
 # SSL_KEY_PATH="./certs/your-cert.key"
 # SSL_CERT_PATH="./certs/your-cert.crt"

packages/twenty-server/src/engine/core-modules/environment/environment-variables.ts

@@ -828,15 +828,6 @@ export class EnvironmentVariables {
   @IsString()
   APP_SECRET: string;
 
-  @EnvironmentVariablesMetadata({
-    group: EnvironmentVariablesGroup.ServerConfig,
-    sensitive: true,
-    description: 'Secret for session store',
-  })
-  @IsString()
-  @IsOptional()
-  SESSION_STORE_SECRET = 'replace_me_with_a_random_string_session';
-
   @EnvironmentVariablesMetadata({
     group: EnvironmentVariablesGroup.ServerConfig,
     subGroup: EnvironmentVariablesSubGroup.RateLimiting,

packages/twenty-server/src/engine/core-modules/session-storage/session-storage.module-factory.ts

@@ -1,3 +1,5 @@
+import { createHash } from 'crypto';
+
 import RedisStore from 'connect-redis';
 import session from 'express-session';
 import { createClient } from 'redis';
@@ -12,8 +14,18 @@ export const getSessionStorageOptions = (
 
   const SERVER_URL = environmentService.get('SERVER_URL');
 
+  const appSecret = environmentService.get('APP_SECRET');
+
+  if (!appSecret) {
+    throw new Error('APP_SECRET is not set');
+  }
+
+  const sessionSecret = createHash('sha256')
+    .update(`${appSecret}SESSION_STORE_SECRET`)
+    .digest('hex');
+
   const sessionStorage: session.SessionOptions = {
-    secret: environmentService.get('SESSION_STORE_SECRET'),
+    secret: sessionSecret,
     resave: false,
     saveUninitialized: false,
     proxy: true,